How to check if your Apple Silicon Mac is booting securely

https://eclecticlight.co/2025/08/21/how-to-check-if-your-apple-silicon-mac-is-booting-securely/

101•shorden•5mo ago

Comments

userbinator•5mo ago

s/booting securely/running only the code Apple approves of/g

bapak•5mo ago

You can run unverified code if you build it yourself. You can distribute unverified code by just paying $99/year to Apple. Not great, but still no need for specific code approval.

cyberax•5mo ago

Not if you want to use some features like bridged networking. For that you need to go and beg Apple for an entitlement. Or you have to disable SIP entirely.

Barbing•5mo ago

They respond to the begging as incredibly well as they respond to feedback/bug reports, right?

cyberax•5mo ago

To be fair, they _do_ respond well in this particular case. But you have to write an email to a developer somewhere in Apple, as there is no established process.

Gigachad•5mo ago

You can run whatever scripts you want without paying anything. Pretty sure the signing thing only applies to .app programs.

arcticbull•5mo ago

Not exactly, distribution conversation aside this is specific to kernel extensions. Apple's been moving drivers out of kernel space and into user space for several years [1]. There's a lot of good reasons for doing so, and not a lot of drawbacks. I'd consider this to be a strongly worded API deprecation notice.

[1] https://developer.apple.com/documentation/driverkit

bduhan•5mo ago

I had to do this today for a Universal Audio Apollo audio interface. Glad it’s on a dedicated machine.

https://help.uaudio.com/hc/en-us/articles/360057137692-Apple...

Barbing•5mo ago

Interesting. They need that for lowest-possible latency? And it should be fairly safe?

arcticbull•5mo ago

Assuming they're USB devices they shouldn't be a reason to do this... Apple moved third-party drivers for USB devices and audio HAL extensions to user space, so there's some minor overhead choosing DriverKit over IOKit. Everything I've dug up says it's low single digit percentages. I wouldn't be developing USB drivers against IOKit anymore personally and I'd be looking to move over pretty aggressively before Apple drops the hammer.

nottorp•5mo ago

How about file system drivers? If there is such a thing any more... fuse and friends...

_mlbt•5mo ago

There is a port of FUSE for macOS, and Apple also has a first party API for this called FSKit…

https://developer.apple.com/documentation/fskit

nottorp•5mo ago

I know there was a port of FUSE. But iirc it requires old style extensions. Has it changed?

_mlbt•5mo ago

Per the MacFUSE documentation…

> macFUSE 5.0 supports multiple APIs for mounting file systems.

> By default, macFUSE uses the VFS API to mount file systems. When specifying the mount-time option -o backend=fskit, macFUSE will use FSKit to mount the file system.

https://github.com/macfuse/macfuse/wiki/FUSE-Backends

SebFender•5mo ago

UAD drivers have always been very creative... lol

Barbing•5mo ago

Useful, thank you! Looks like the author just enjoys helping fellow nerds. Nice

8ig8•5mo ago

Dr Howard Oakley. I think of him as an OG Mac guy.

Citizen8396•5mo ago

His site is filled with gems like this one.

ostensible•5mo ago

`man csrutil`

saagarjha•5mo ago

Note that checking anything in userspace on a compromised machine does not actually prove that the machine is not compromised. It is very easy to boot insecurely and then make everything lie that the boot was secure.

Citizen8396•5mo ago

Recovery exists in a separate partition protected by SIP; it's set up this way to so that 99.99% of scenarios require a local, physical attack. "recoveryOS" is also bound to the specific APFS volume of the device. There's more to it than that, but you can be reasonably sure that recoveryOS isn't lying to you.

Sure, you can make an argument someone gave you a special device with a fake OS... but anyone willing to do that has much more simple ways to fuck with you.

daft_pink•5mo ago

The problem is if you enable filevault then you can’t ssh into the mac remotely until someone locally logs in.

Means I end up using filevault on my laptop, but not on my desktop.

We Mourn Our Craft

I Write Games in C (yes, C)

Hoot: Scheme on WebAssembly

SectorC: A C Compiler in 512 bytes

Stories from 25 Years of Software Development

U.S. Jobs Disappear at Fastest January Pace Since Great Recession

OpenCiv3: Open-source, cross-platform reimagining of Civilization III

The AI boom is causing shortages everywhere else

Al Lowe on model trains, funny deaths and working with Disney

The Waymo World Model

Reinforcement Learning from Human Feedback

Brookhaven Lab's RHIC Concludes 25-Year Run with Final Collisions

Start all of your commands with a comma (2009)

Vocal Guide – belt sing without killing yourself

France's homegrown open source online office suite

Coding agents have replaced every framework I used

A Fresh Look at IBM 3270 Information Display System

Show HN: I saw this cool navigation reveal, so I made a simple HTML+CSS version

History and Timeline of the Proco Rat Pedal (2021)

Selection Rather Than Prediction

72M Points of Interest

Unseen Footage of Atari Battlezone Arcade Cabinet Production

Where did all the starships go?

Show HN: Look Ma, No Linux: Shell, App Installer, Vi, Cc on ESP32-S3 / BreezyBox

Learning from context is harder than we thought

Monty: A minimal, secure Python interpreter written in Rust for use by AI

Show HN: Kappal – CLI to Run Docker Compose YML on Kubernetes for Local Dev

Hackers (1995) Animated Experience

Making geo joins faster with H3 indexes

Sheldon Brown's Bicycle Technical Info

We Mourn Our Craft

I Write Games in C (yes, C)

Hoot: Scheme on WebAssembly

SectorC: A C Compiler in 512 bytes

Stories from 25 Years of Software Development

U.S. Jobs Disappear at Fastest January Pace Since Great Recession

OpenCiv3: Open-source, cross-platform reimagining of Civilization III

The AI boom is causing shortages everywhere else

Al Lowe on model trains, funny deaths and working with Disney

The Waymo World Model

Reinforcement Learning from Human Feedback

Brookhaven Lab's RHIC Concludes 25-Year Run with Final Collisions

Start all of your commands with a comma (2009)

Vocal Guide – belt sing without killing yourself

France's homegrown open source online office suite

Coding agents have replaced every framework I used

A Fresh Look at IBM 3270 Information Display System

Show HN: I saw this cool navigation reveal, so I made a simple HTML+CSS version

History and Timeline of the Proco Rat Pedal (2021)

Selection Rather Than Prediction

72M Points of Interest

Unseen Footage of Atari Battlezone Arcade Cabinet Production

Where did all the starships go?

Show HN: Look Ma, No Linux: Shell, App Installer, Vi, Cc on ESP32-S3 / BreezyBox

Learning from context is harder than we thought

Monty: A minimal, secure Python interpreter written in Rust for use by AI

Show HN: Kappal – CLI to Run Docker Compose YML on Kubernetes for Local Dev

Hackers (1995) Animated Experience

Making geo joins faster with H3 indexes

Sheldon Brown's Bicycle Technical Info

How to check if your Apple Silicon Mac is booting securely

Comments